Published in NH Bar News 3/18/2020
Lawyers and law firms face a multiplicity of laws governing information privacy and security, and the regulatory landscape expand continuously. Addressing each applicable law and responding to each emerging regulation is not operationally feasible or cost effective. We need a strategy that gets us and keeps us ahead of the regulatory curve.
Cyber regulations have expanded in two ways: (1) the scope of information covered; and (2) the types of obligations imposed. Early widespread cyber laws covered limited information, known as personally identifiable information (PII). PII consisted of an individual's name in combination with social security, financial account or governmental identification number. Most such laws imposed only an obligation to notify regulators and affected individuals of a breach.
Initial regulatory expansion imposed obligations on businesses to affirmatively identify their cyber vulnerabilities, implement measures appropriate to the business to mitigate or eliminate the risks, adopt an information security policy, and train employees. Massachusetts and California led with such laws, which impacted New Hampshire and other States, since the regulations apply to any business that has covered information about residents of Massachusetts and California. At the same time, federal regulations expanded to encompass many businesses that handle protected health information (PHI) for HIPAA covered entities.
Recent regulatory expansion has dramatically increased the scope of covered information. At first, such laws encompassed additional categories, like genetics, biometrics, geolocation, and social media information. However, now, regulations have grown to cover all information that is identifiable to an individual, including information as basic as name, address, and email, which is simply called personal information (PI). One example of such a law is New York's artfully named Stop Hacks and Improve Electronic Data Security (NY SHIELD) Act.
Recent regulations also dramatically expanded the obligations imposed on businesses with respect to the privacy of PI. Such laws require a business to notify individuals about what PI it collects about them and how it uses the PI, obtain consent from individuals before using certain sensitive PI, and honor rights that individuals have with respect to their PI, such as requiring the business to correct inaccurate PI, give a copy of their PI to individuals and other businesses in a usable format, restrict use of their PI, and delete all PI that the business has about them.
These broad privacy regulations initially emanated from the European Union General Data Privacy Regulation (GDPR) and Canadian Personal Information Protection and Electronic Documents Act (PIPEDA). However, California adopted a similar law called the California Consumer Privacy Act (CCPA) effective January 1 this year, and many other States (including New Hampshire and Massachusetts) have such privacy bills pending in their legislatures. These laws apply extra-territorially to businesses that have PI about residents of those jurisdictions, and engage in business either with those individuals or in those jurisdictions.
Adding to this landscape, lawyers and law firms are ethically required to implement reasonable measures to safeguard client information. Those ethical obligations were discussed in the article Information Security Is Our Ethical Duty, N.H. Bar News (Feb. 20, 2019).
Getting ahead of the regulatory curve requires lawyers and law firms to address both security and privacy for all PI. Doing so means, first, conducting a comprehensive assessment to identify what information the business has, how it is used, and what risks exist to the confidentiality, integrity, and availability of it. Given the complexity of regulations and the lack of experience most lawyers and firms have in this area, it is critical to retain a knowledgeable professional to guide you through the process and select an appropriate compliance regime for the business.
Based on that assessment, you must then implement measures that remediate the risks, adopt policies that comprehensively address current and forward-looking privacy and security issues (including existing and likely forthcoming regulations), and train employees about information privacy and security. While this can seem daunting, lawyers and law firms that commit to the process can and do achieve compliance with information privacy and security regulations.
Cameron Shilling chairs McLane Middleton's Information Privacy and Security Practice Group.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.